Privacy Policy

What we store, and why it’s safe

We hold as little of your personal data as possible, keep what we do hold encrypted, and don’t share it.

Most of what mySites.guru stores about your sites is integers and a handful of strings, such as the platform name or a preference value. When you revoke our access or cancel, your sites keep working exactly as before, because we don’t own your data and never did.

We are registered with two Information Commissioners (UK and Jersey, Channel Islands), our connector is open source and GPL-licensed, and we’ve operated under these rules for over a decade.

Questions? Get in touch. A human replies.

Vendors we use

Being listed here doesn’t mean we share your data with them. This is the complete list of third-party vendors we integrate with to run the service. We send the minimum amount of data needed, and only when needed, and only when you opt into certain features such as AI analysis or Client Reports.

Not all of what we pass is Personal Data (as defined by GDPR and UK data protection law). A lot of it is technical, anonymous, or plain binary, such as version numbers, counts, flags, and hashes.

• ✓ Amazon SES · transactional email delivery
• ✓ Amazon S3 / CloudFront · screenshot and asset storage
• ✓ Anthropic (Claude) · AI malware and threat analysis
• ✓ Cloudflare · reverse proxy, security, CDN
• ✓ DigitalOcean · hosting (London, UK)
• ✓ EU VIES · EU VAT number checks
• ✓ Google reCAPTCHA · bot prevention on sign-up and forms
• ✓ HMRC · UK accounting submissions
• ✓ Live Chat · support chat
• ✓ MailChimp / Mandrill · mailing list, client reports if you opt in
• ✓ OpenAI · AI malware and threat analysis (alternative engine)
• ✓ PayPal · alternative payments
• ✓ Postmark · transactional email (fallback provider)
• ✓ ROS.ie · EU VAT submissions (Ireland)
• ✓ Screenshot Layer · website screenshots
• ✓ Senja · customer reviews
• ✓ Stripe · card payments
• ✓ UK HMRC · UK VAT number checks
• ✓ WhoisAPI · domain WHOIS lookups
• ✓ Wordfence Intelligence · WordPress vulnerability feed
• ✓ Your card issuer · to authorise payment
• ✓ Zoho · accounting, invoicing

1. Awareness

Everyone building and running mySites.guru is GDPR-aware. The service is owned by Blue Flame Digital Solutions, a UK company.

Code deployed to any platform is reviewed by the Data Controller named below. That’s a second pair of human eyes on every change, whether the author is staff or a contractor.

2. Information we hold

We store the minimum needed to run the service, covering two groups:

• 2.1 Customers (the operators using mySites.guru)
• 2.2 Customers’ Joomla and WordPress sites (your end users)

We don’t share or resell any user data beyond what’s described on this page.

2.1 Information held on our users

What we collect

Strictly what the service needs:

• Email address
• First and last name
• Full invoice address
• VAT number, country, and status
• Social login IDs (Google, GitHub, Facebook) if you use them
• Twitter name (deprecated, retained for old accounts)
• IP address and timezone
• Card details including optional billing address (handled by Stripe)
• Username and password (one-way hashed, never stored in plain text)

Who collects it

mySites.guru, controlled by the Data Controller listed below.

How

You enter it during sign-up and while using the service. Submitting it is how you grant consent to process it. A handful of third parties such as MailChimp enrich it with metadata like your mail client when they serve our email.

Why

To provide the service you signed up for: authentication, billing, debugging, and anonymous stats we use to improve the product.

Who we share it with

The full list is in the Vendors we use section above.

Likely effect

The service runs, billing automates, and you can unsubscribe from any mailings at any time.

3. Communicating privacy information

This page is it.

Everything we have to say on the matter lives here, and we keep it current.

4. Your rights under GDPR

Right to be informed

This page. You’re reading it.

Right of access

Everything we hold on you is in your mySites.guru account and exportable on demand from your account privacy page.

Right of rectification

Contact us and we’ll update it.

Right of erasure

Contact us. We’ll act within legal timescales.

Right to restrict processing

We only process the data described on this page.

Right to data portability

Use the Export button in your account, any time.

Right to object

Contact us.

Right not to be subject to automated decision-making or profiling

We don’t do that, and we never will.

5. Subject access requests

We reply to every access request, yes or no, within a week. The legal limit is one month. Free for paid and free accounts alike.

Or skip the queue and export your personal data yourself from your mySites.guru account. Same information, instant.

6. Lawful basis for processing

Data we hold is based on consent you gave by signing up, plus the logged interactions showing your ongoing use of the account.

Connecting a site to mySites.guru is a deliberate, multi-step action by a site super-admin who is also the account holder. That act grants consent for us to use the connector and process the data we need to deliver the service.

Signing up adds you to the mailing list. You can change what we send you at any time in your notification preferences.

7. Consent

Consent is explicit: you give it when you enter data, or when you install the mySites.guru connector on a site you run.

We never source personal data from anywhere else, manually or automatically. You give us the data, or we don’t have it.

Connecting a site grants ongoing consent for the connector to operate. We don’t prompt you each time it runs.

8. Children

mySites.guru is a business-to-business service and isn’t offered to children. We don’t age-gate sign-up.

9. Data breaches

We actively monitor for unauthorised access and harden our systems continuously to reduce the attack surface.

Security reports go to phil@phil-taylor.com. We process them same-day and pay bounties for valid findings.

What we do to reduce the attack surface

• Aggressive firewalls and network isolation throughout the infrastructure.
• No public internet access to our servers. Only Phil Taylor can reach the live platform.
• We track CVEs in every library we depend on and patch as soon as fixes land.
• 2FA on every sensitive third-party account.
• Data stores and sensitive backends live on separate servers behind separate firewalls.
• Backups run every 3 hours, GPG-encrypted, held for at most one month, stored off-site.
• Encryption keys live on different physical hardware to the database.
• Multiple systems would have to be hacked, and encryption broken, to issue a single valid request to a connected site.

10. Data protection by design

Security comes first when we design anything new. We protect the integrity of the system, then the data it stores.

Our engineers know software and network security well. That shapes the architecture before a line of code is written.

11. Data Controller

Under GDPR we operate with a Data Controller rather than a Data Protection Officer:

12. International

mySites.guru may, through its users, process data from individuals across the EU.

The service is run by Blue Flame Digital Solutions Limited, a UK company managed from Jersey, Channel Islands (outside the EU). Our main establishment is Jersey, so our supervisory authority sits there, and the UK’s Information Commissioner also applies.

Blue Flame Digital Solutions Limited is registered with the UK Information Commissioner and the Jersey Information Commissioner, and fully complies with the Data Protection (Jersey) Law 2018.